Identifying a Compromised WordPress Site
Transcript of Identifying a Compromised WordPress Site
![Page 1: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/1.jpg)
Identifying a Compromised WordPress Site
@chrisburgess #wpmelb
![Page 2: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/2.jpg)
Prevention is the holy grail, however it’s not the topic of this
talk.
![Page 3: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/3.jpg)
You can’t always prevent, so you must detect.
![Page 4: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/4.jpg)
Even if we’re doing everything possible to harden and maintain our
installations, we should still care about security monitoring for our high
value sites.
![Page 5: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/5.jpg)
![Page 6: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/6.jpg)
Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You're vulnerable. Now, go do something useful about it. -- Bruce Schneier
http://www.schneier.com/blog/archives/2007/05/is_penetration.html
![Page 7: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/7.jpg)
The following examples are often the first signs of a
successful attack.
![Page 8: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/8.jpg)
![Page 9: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/9.jpg)
![Page 10: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/10.jpg)
![Page 11: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/11.jpg)
![Page 12: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/12.jpg)
Ahrefs and Google Search Console
![Page 13: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/13.jpg)
Real example of anchor text from Ahrefs
![Page 14: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/14.jpg)
Real example of a malicious plugin.
![Page 15: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/15.jpg)
Real example of a malicious plugin.
![Page 16: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/16.jpg)
This shouldn’t be the first sign of a compromised site. There
are usually plenty of early warning signs.
![Page 17: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/17.jpg)
But first…
![Page 18: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/18.jpg)
![Page 19: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/19.jpg)
Links to the Quora Article
• https://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security-measures-should-I-take
• https://ma.tt/2015/04/a-bank-website-on-wordpress/
• https://wptavern.com/banking-on-wordpress-matt-mullenweg-weighs-in-on-security-concerns
![Page 20: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/20.jpg)
https://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security-measures-should-I-take/answer/Karol-Krol?srid=uD68
![Page 21: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/21.jpg)
Let’s ask another question. Is Linux secure? Is Django secure? Is iOS
secure? Is MySQL secure? Is Drupal secure? Is Node.JS secure? Is <insert browser> secure? Is
Android secure? Is Rails secure? Is Windows Server secure? Is Shopify
secure? You get the idea…
This can get subjective, since some have a much better track record than others, and
some are designed with security as a priority.
![Page 22: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/22.jpg)
So… banks aside, what would constitute a high value
target?
![Page 23: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/23.jpg)
High traffic sites, anything with Personally Identifiable
Information (PII), software vendors, service providers?
![Page 24: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/24.jpg)
![Page 25: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/25.jpg)
![Page 26: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/26.jpg)
![Page 27: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/27.jpg)
Credit card numbers aren’t the only form of sensitive
information.
![Page 28: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/28.jpg)
It’s really easy to say “something isn’t secure”.
![Page 29: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/29.jpg)
It’s much harder to actually build something that is secure (knowing that there’s no such
thing as absolute security).
![Page 30: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/30.jpg)
The best answer is that if security is important, you need
“people” working on it.
![Page 31: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/31.jpg)
The Internet is a hostile environment. We need to have a healthy respect for this fact.
![Page 32: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/32.jpg)
The current dilemma…
![Page 33: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/33.jpg)
Hosting Providers
![Page 34: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/34.jpg)
Plugins
![Page 35: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/35.jpg)
Systems and Services
![Page 36: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/36.jpg)
Users
![Page 37: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/37.jpg)
Good Developers
![Page 38: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/38.jpg)
Good Support, Ops and SysAdmins
![Page 39: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/39.jpg)
A high value business needs good people, from all of these disciplines, working together.
![Page 40: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/40.jpg)
http://www.sentrillion.com/images/img_defense-in-depth.jpg
![Page 41: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/41.jpg)
Real example of a malicious file
![Page 42: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/42.jpg)
You can’t rely only on tools; they won’t always detect a
compromise.
![Page 43: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/43.jpg)
Most WordPress security tools work by using signatures.
For context, Kaspersky AV for Windows currently has around
500,000 signatures.
![Page 44: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/44.jpg)
Scanning your site with online tools works only if your site has active malware, is defaced or
blacklisted.
![Page 45: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/45.jpg)
If a site has been compromised, it cannot be trusted.
![Page 46: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/46.jpg)
example.com/index.php
![Page 47: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/47.jpg)
example.com/otherapp/
![Page 48: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/48.jpg)
example.com/*
![Page 49: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/49.jpg)
example.com/*
![Page 50: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/50.jpg)
Isolation
Look out for a shared web root, addon domains in cPanel, or other web apps in
subfolders.
![Page 51: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/51.jpg)
We’re going to assume a fresh WordPress install, or restoration from a clean backup, is needed.
![Page 52: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/52.jpg)
Places/things to check…
• Content/files (htaccess, index.php, sitemap.xml, anything custom)
• Running processes
• Running scripts, open files (look at full paths in processes)
• Memory
• Cron jobs
• Database
• Date and timestamps
• Suspicious plugins
• Suspicious directories/files
• Sitemaps/SERPs
• WordPress Admin Users
• Other users in GSC/WMT
• Code audit
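An added example (not from the talk) covering three items of the checklist above: PHP dropped into wp-content/uploads, .htaccess files planted inside uploads, and PHP that runs obfuscated code. The fixture it scans is constructed inside the script, so it runs offline; point `wp_triage` at a real web root to use it.

```shell
#!/bin/sh
# Added example (not from the talk): a first pass over three items from the
# checklist: PHP dropped into wp-content/uploads, .htaccess files planted
# inside uploads, and PHP that executes obfuscated code.
# Prints one "finding<TAB>path" line per hit for a human to review.

wp_triage() {   # $1 = path to the WordPress web root
    root="$1"
    # 1. uploads/ should only hold media; any .php there needs a look.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null |
        awk -v t=php-in-uploads '{print t "\t" $0}'
    # 2. .htaccess inside uploads/ changes how the directory is served;
    #    unless you put it there yourself it is worth reading.
    find "$root/wp-content/uploads" -type f -name '.htaccess' 2>/dev/null |
        awk -v t=htaccess-in-uploads '{print t "\t" $0}'
    # 3. eval() over a decoder is the classic obfuscation idiom and is
    #    almost never seen in legitimate plugin or theme code. -F keeps the
    #    parentheses literal instead of being parsed as regex syntax.
    grep -rlF -e 'eval(base64_decode(' -e 'eval(gzinflate(' \
         -e 'eval(str_rot13(' --include='*.php' "$root" 2>/dev/null |
        awk -v t=obfuscated-eval '{print t "\t" $0}'
}

# Constructed fixture (not a real site): one clean plugin file plus two
# planted findings, so the function can be exercised offline.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads/2024/01" "$dir/wp-content/plugins/demo"
    printf '<?php echo "clean plugin";\n' > "$dir/wp-content/plugins/demo/demo.php"
    # The base64 below decodes to the harmless statement `echo 1;`
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$dir/wp-content/uploads/2024/01/image.php"
    printf '# constructed placeholder\n' > "$dir/wp-content/uploads/.htaccess"
    echo "$dir"
}

wp_triage "$(make_fixture)"
```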
![Page 53: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/53.jpg)
Checking Content
• grep
• Screaming Frog (useful for finding JS)
• Sucuri SiteCheck
• UnmaskParasites.com
• Safe Browsing Site Status (Google)
![Page 54: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/54.jpg)
![Page 55: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/55.jpg)
![Page 56: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/56.jpg)
![Page 57: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/57.jpg)
![Page 58: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/58.jpg)
![Page 59: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/59.jpg)
Once the server has been compromised, it cannot be
trusted.
![Page 60: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/60.jpg)
Tools for Detection
• System Monitoring
• Integrity Monitoring
• Firewalls
• IDS/IPS
• Malware Scanners
• Logging
![Page 61: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/61.jpg)
System Monitoring
• Resources (Bandwidth/CPU/RAM/IO)
• Logins
• Processes
![Page 62: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/62.jpg)
Integrity Monitoring
• git
• wp-cli
• Any diff tools
• Plugins
• Tripwire (and similar)
![Page 63: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/63.jpg)
wp-cli’s Verify Checksums
```
$ wp core verify-checksums
Success: WordPress install verifies against checksums.
```
Thanks to @davemac for this tip!
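`wp core verify-checksums` only covers core files, checked against the hashes WordPress.org publishes. As an added example (not from the talk or from wp-cli), the script below records a baseline of the whole tree after a clean install or restore and later reports added, modified and removed files, Tripwire-style; the demo site it checks is constructed inline.

```shell
#!/bin/sh
# Added example (not from the talk or from wp-cli): a minimal integrity
# baseline in the spirit of Tripwire. It covers plugins, themes, uploads,
# .htaccess and wp-config.php by comparing the live tree against a baseline
# you record yourself. Paths containing spaces are not handled.

# GNU coreutils ships sha256sum; macOS/BSD have shasum instead.
if command -v sha256sum >/dev/null 2>&1; then HASHER="sha256sum"; else HASHER="shasum -a 256"; fi

integrity_baseline() {   # $1 = web root, $2 = manifest file to write
    # One "digest  ./relative/path" line per regular file, sorted by path.
    ( cd "$1" && find . -type f -exec $HASHER {} + ) | sort -k2 > "$2"
}

integrity_check() {      # $1 = web root, $2 = manifest from the baseline
    now=$(mktemp)
    integrity_baseline "$1" "$now"
    # First pass loads the baseline; second pass compares the live tree.
    diff_out=$(awk 'NR == FNR { base[$2] = $1; next }
        !($2 in base)      { print "ADDED", $2; next }
        base[$2] != $1     { print "MODIFIED", $2 }
                           { delete base[$2] }
        END { for (p in base) print "REMOVED", p }' "$2" "$now")
    rm -f "$now"
    [ -z "$diff_out" ] && return 0
    printf '%s\n' "$diff_out"
    return 1   # non-zero so a cron job or CI step can alert on it
}

# Constructed demo (not a real site): take a baseline, then simulate a
# tampered plugin, a dropped file and a deleted .htaccess.
integrity_demo() {
    dir=$(mktemp -d); man=$(mktemp)
    mkdir -p "$dir/wp-content/plugins/demo"
    printf '<?php // constructed clean plugin\n' > "$dir/wp-content/plugins/demo/demo.php"
    printf 'Options -Indexes\n' > "$dir/.htaccess"
    printf '<?php // constructed wp-config\n' > "$dir/wp-config.php"
    integrity_baseline "$dir" "$man"
    printf '// appended by the demo\n' >> "$dir/wp-content/plugins/demo/demo.php"
    printf '<?php // constructed new file\n' > "$dir/wp-content/plugins/demo/extra.php"
    rm "$dir/.htaccess"
    integrity_check "$dir" "$man" || echo "RC=$?"
}

integrity_demo
```

Store the manifest off the server (the talk's point on slide 59 applies: a compromised host can rewrite its own baseline).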
![Page 64: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/64.jpg)
Firewalls
• Network Firewalls
• Web Application Firewalls
• Security Services
![Page 65: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/65.jpg)
IDS/IPS
• Typically at the host level
• OSSEC
![Page 66: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/66.jpg)
Malware Detection
• Security Plugins
• Commercial AV
• Public Site Scanning
• Google Search Console
• ConfigServer eXploit Scanner (for WHM/cPanel)
• Maldet/ClamAV
![Page 67: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/67.jpg)
Logging
• /var/log (access, error, php)
• Centralised Logging or Log Shipping (Papertrail, Loggly, Splunk, Logstash etc.)
• Audit trails (Stream/WP Audit Trail etc.)
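Two detections of the kind a centralised logging setup would alert on, run over an access log in combined format, as an added example that is not from the talk. The log lines are constructed (documentation IP ranges only) and the threshold of 3 POSTs per IP is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the talk): two alerts a centralised logging
# setup could raise from a web server access log in combined format.
# The sample log is constructed here so the script runs offline.

access_log_alerts() {   # $1 = access log, $2 = POST-per-IP threshold
    awk -v limit="$2" '
        # Combined format fields: $1 client IP, $6 "METHOD, $7 path, $9 status
        # (1) POST to a .php file under wp-content/uploads: that directory
        #     should only serve media, so this is a strong web-shell signal.
        $6 == "\"POST" && $7 ~ /^\/wp-content\/uploads\/.*\.php/ {
            print "webshell-post", $1, $7, $9
        }
        # (2) Count POSTs to the login and XML-RPC endpoints per client IP;
        #     more than the threshold in one log window looks like brute force.
        $6 == "\"POST" && $7 ~ /^\/(wp-login\.php|xmlrpc\.php)/ {
            posts[$1]++
        }
        END {
            for (ip in posts) if (posts[ip] > limit)
                print "login-burst", ip, posts[ip]
        }' "$1"
}

# Constructed sample (IPs are from the documentation ranges 203.0.113.0/24
# and 198.51.100.0/24; nothing here is a real request).
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Mar/2024:10:00:01 +1100] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:02 +1100] "POST /wp-content/uploads/2024/01/image.php HTTP/1.1" 200 48 "-" "curl/8.4.0"
203.0.113.42 - - [10/Mar/2024:10:00:03 +1100] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.42 - - [10/Mar/2024:10:00:03 +1100] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.42 - - [10/Mar/2024:10:00:04 +1100] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.42 - - [10/Mar/2024:10:00:04 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:10:00:05 +1100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.4; https://example.com"
198.51.100.7 - - [10/Mar/2024:10:00:06 +1100] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
EOF
}

log=$(mktemp); sample_log > "$log"
access_log_alerts "$log" 3
```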
![Page 68: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/68.jpg)
WPScan WordPress Scanner
![Page 69: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/69.jpg)
WPSecurityBloggers.com
![Page 70: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/70.jpg)
Use a security plugin (or manually harden)
https://www.wordfence.com/
https://sucuri.net/
https://ithemes.com/security/
![Page 71: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/71.jpg)
Final Words…
Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t address that. Compromised sites are much more likely to become compromised again. Get everyone on board to take security seriously.
![Page 72: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/72.jpg)
Prevention and Response
Hardening/Prevention:
• https://codex.wordpress.org/Hardening_WordPress
Post-hack/Response:
• https://sucuri.net/website-security/what-to-do-after-a-website-hack/
![Page 73: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/73.jpg)
• WordPress.org – wordpress.org/about/security – wordpress.org/news/category/security
• Verizon DBIR http://www.verizonenterprise.com/verizon-insights-lab/dbir/
• Sucuri https://sucuri.net/
• WP White Security https://www.wpwhitesecurity.com/
• OWASP http://owasp.org/
![Page 74: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/74.jpg)
wpmelb.org/slack
![Page 75: Identifying a Compromised WordPress Site](https://reader030.fdocuments.net/reader030/viewer/2022021507/5879e1921a28ab15288b4b13/html5/thumbnails/75.jpg)
Thanks and stay safe!
@chrisburgess #wpmelb